PROGRAM ANALYSIS & SYNTHESIS

Transcription

1 Lecture Partial Programs, Program Repair, and Sketching PROGRAM ANALYSIS & SYNTHESIS EranYahav

2 Previously Synthesis from examples SMARTEdit String processing in spreadsheet from examples (a little bit)

3 Today Program Repair as a Game angelic non-determinism in the program Sketching completion of partial programs using a backing SAT solver Acks Program Repair slides from Barbara Jobstmann Sketching slides cannibalized from Armando Solar-Lezama 3

4 Reactive Systems Synthesis Systems (e.g., servers) Interact with environment Infinite duration (non-terminating) Finite data (or data abstractions) Control-oriented Verification Specifications Set of good behaviors (a language) Temporal logic (including safety and liveness) data Analysis [Z. Manna and A. Pnueli. The Temporal Logic of Reactive and Concurrent Systems., 99] [N. Halbwachs. Synchronous Programming of Reactive Systems. 993] time 4

5 How to verify a Reactive System? Core algorithm for linear-time temporal logic:. Source code auto/manual transition system (FSM). Specification auto/manual monitor violations 3. Check if model has a violating trace product of trans. system and monitor check for exists of a trace in product (emptiness) L(Program) L(Specification) L(Program) L( Specification) = L(Program Specification) = 5

6 Source Code unsigned int got_lock = 0;... : while(*) {... : if (*) { 3: lock(); 4: got_lock++;... 5: if (got_lock!= 0) { 6: unlock(); 7: got_lock--;... lock() lock: {LOCK:=; unlock() unlock: {LOCK:=0; 6

7 Step : Transition System int[0,,] got_lock = 0;... : while(*) {... : if (*) { 3: lock(); lock: {LOCK:=; 4: got_lock++;... 5: if (got_lock!= 0) { 6: unlock(); unlock: {LOCK:=0; 7: got_lock--;... 8: Trans. system variables: line (l), got_lock (gl) l=, gl=0 l=, gl= l=, gl= l=, gl=0 l=3, gl=0 l=lock,gl=0... l=, gl= l=3, gl= l=lock,gl= l=4, gl=0 l=4, gl= l=5, gl=0 l=5, gl= l=5, gl= l=6, gl= l=6, gl= l=unlock,gl= l=unlock,gl= l=7, gl=0 l=7, gl= l=7, gl= l=8, gl=

8 Specification P: do not acquire a lock twice P: do not call unlock without holding the lock P: always( line=lock implies next(line!=lock w-until line=unlock)) P: ( line!=unlock w-until line=lock )) and always( line=unlock implies next( line!=unlock w-until line=lock )) 8

9 Linear-Time Temporal Logic [Pnueli77] Syntax: Atomic propositions, e.g., line=, line!=, got_lock=0 Boolean operators: not, and, or, implies,... Temporal operators: next (ϕ) ϕ until ϕ... ϕ holds in the next step... ϕ holds until at some point ϕ holds Used in industrial spec languages PSL/SVA Can express many interesting properties, e.g., mutual exclusion, deadlock freedom, termination 9

10 Linear-Time Temporal Logic Semantics defined with respect to infinite traces in each step atomic propositions holds or not E.g., line=, got_lock line= line= got_lock... 0

11 Linear-Time Temporal Logic Semantics next (ϕ)... ϕ holds in the next step ϕ... ϕ until ϕ... ϕ holds until at some point ϕ holds ϕ ϕ ϕ ϕ ϕ System S satisfies/models ϕ, if all its behaviors satisfy ϕ

12 How to verify a Reactive System? Core algorithm for linear-time temporal logic:. Source code auto/manual transition system (FSM). Specification auto/manual monitor violations 3. Check if model has a violating trace product of trans. system and monitor check for exists of a trace in product (emptiness)

13 Step : Monitor for Violations P: always( line=lock implies next( line!=lock w-until line=unlock )) = not eventually( line=lock and next( line!=unlock until line=lock )) line!=unlock line=lock line=lock 3 s: non-deterministic choice s: no edge with line=unlock Automaton accepts trace/behavior if a green state is visited infinitely often (Büchi ) Why do we track bad and not good behaviors? L(S) L(ϕ): forall w: w L(S) w L(ϕ) exists w: w L(S) w L( ϕ) 3

14 Step 3: Product l=, gl=0 l=, gl= l=, gl= l=, gl=0... l=, gl= l=3, gl=0 l=3, gl= l=lock,gl=0 l=lock,gl= l=4, gl=0 l=4, gl= l=5, gl=0 l=5, gl= l=5, gl= l=6, gl= l=6, gl= l=unlock,gl= l=unlock,gl= l=7, gl=0 l=7, gl= l=7, gl= line!=unlock l=8, gl= line=loc k line=lock 3 4

15 Step 3: Product l=, gl=0 l=, gl= l=, gl= l=, gl=0... l=, gl= l=3, gl=0 l=3, gl= l=lock,gl=0 l=4, l=4, gl=0 gl=0 l=lock,gl= l=4, gl= l=5, gl=0 l=5, gl= l=5, gl= l=5, gl= l=6, gl= unlock, l=6, gl= unlock, l=6, gl= l=unlock,gl= l=7, gl=0 l=7, gl= l=7, gl= line!=unlock l=8, gl= line=loc k line=lock 3 5

16 Step 3: Product l=, gl=0 l=, gl= l=, gl= l=, gl= l=, gl=0... l=, gl= l=, gl= l=3, gl=0 l=3, gl= l=3, gl= l=lock,gl=0 l=lock,gl= l=lock,gl= l=4, l=4, gl=0 gl=0 l=4, gl= l=4, gl= l=4, gl= 3 l=5, gl=0 l=5, gl=0 l=5, gl= l=5, gl= l=5, gl= l=6, gl= unlock, l=6, gl= unlock, l=6, gl= l=unlock,gl= l=7, gl=0 l=7, gl=0 l=7, gl= l=7, gl= line!=unlock l=8, gl= line=loc k line=lock 3 Recall, we want to show a violation: 6

17 Step 3: Product l=, gl=0 l=, gl= l=, gl= l=, gl= l=, gl=0... l=, gl= l=, gl= l=3, gl=0 l=3, gl= l=3, gl= l=lock,gl=0 l=lock,gl= l=lock,gl= l=4, l=4, gl=0 gl=0 l=4, gl= l=4, gl= l=4, gl= 3 l=5, gl=0 l=5, gl=0 l=5, gl= l=5, gl= l=5, gl= l=6, gl= unlock, l=6, gl= unlock, l=6, gl= l=unlock,gl= l=7, gl=0 l=7, gl=0 l=7, gl= l=7, gl= line!=unlock l=8, gl= line=loc k line=lock Recall, we want to show a violation: non-determinism in transition system and in monitor pull in the same direction (both can be used to violate property) 3 7

18 Source Code int[0,,] got_lock = 0;... : while(*) {... : if (*) { 3: lock(); lock: {LOCK:=; 4: got_lock++;... 5: if (got_lock!= 0) { 6: unlock(); unlock: {LOCK:=0; 7: got_lock--;... 8: line = line = line = 5 line = 7 line = line = line = 3 line = lock line = 4 line = 5 line = 7 line = line = line = 3 line = lock 8

19 How to verify a Reactive System? Core algorithm for linear-time temporal logic:. Source code auto/manual transition system (FSM). Specification auto/manual monitor violations 3. Check if model has a violating trace product of trans. system and monitor check for exists of a trace in product (emptiness) But how to repair it? 9

20 How to repair a Reactive System?. Add freedom (choice for the system, allowed ways to modify system). Source code a/m transition system (game) 3. Specification a/m monitor acceptance 4. Check if we can find system choices s.t. model is accepted by monitor product of trans. system and monitor search for winning strategy in game 0

21 Step : Freedom int[0,,] got_lock = 0; int[0,,] freedom;... : while(*) {... : if (*) { 3: lock(); lock: {LOCK:=; 4: got_lock:=freedom;... 5: if (got_lock!= 0) { 6: unlock(); unlock: {LOCK:=0; 7: got_lock:=freedom;... 8: (We can also extend to fault localization)

22 Step : Game int[0,,] got_lock = 0; int[0,,] freedom;... : while(*) {... : if (*) { 3: lock(); lock: {LOCK:=; 4: got_lock:=freedom;... 5: if (got_lock!= 0) { 6: unlock(); unlock: {LOCK:=0; 7: got_lock:=freedom;... 8: Trans. system variables: line (l), got_lock (gl) l=, gl=0 l=, gl=0 l=3, gl=0 l=lock,gl=0 l=4, gl=0 l=5, gl=0 f=0 f= l=7, gl=0 l=8, gl=0 f= l=, gl=... l=5, gl= l=6, gl= l=unlock,gl= l=7, gl= l=, gl= l=, gl= l=3, gl= l=lock,gl= l=4, gl= f=0 f= f= f= f=0 l=5, gl= l=6, gl= l=unlock,gl= l=7, gl=......

23 Step : Game int[0,,] got_lock = 0; int[0,,] freedom;... : while(*) {... : if (*) { 3: lock(); lock: {LOCK:=; 4: got_lock:=freedom;... 5: if (got_lock!= 0) { 6: unlock(); unlock: {LOCK:=0; 7: got_lock:=freedom;... 8: Trans. system variables: line (l), got_lock (gl) l=, gl=0 l=, gl=0 l=3, gl=0 l=lock,gl=0 l=4, gl=0 l=5, gl=0 f=0 f= l=7, gl=0 l=8, gl=0 f= l=, gl=... l=5, gl= l=6, gl= l=unlock,gl= l=7, gl= l=, gl= l=, gl= l=3, gl= l=lock,gl= l=4, gl= f=0 f= f= f= l=5, gl= l=6, gl= l=unlock,gl= l=7, gl= Two types of non-determinism! 3 f=0

24 Step : Game int[0,,] got_lock = 0; int[0,,] freedom;... : while(*) {... : if (*) { 3: lock(); lock: {LOCK:=; 4: got_lock:=freedom;... 5: if (got_lock!= 0) { 6: unlock(); unlock: {LOCK:=0; 7: got_lock:=freedom;... 8: Trans. system variables: line (l), got_lock (gl) l=, gl=0 l=, gl=0 l=3, gl=0 l=lock, gl=0 l=4, gl=0 l=5, gl=0 f=0 f= l=7, gl=0 l=8, gl=0 f= l=, gl=... l=5, gl= l=6, gl= l=unlock, gl= l=7, gl= l=, gl= l=, gl= l=3, gl= l=lock, gl= l=4, gl= f=0 f= f= f= l=5, gl= l=6, gl= l=unlock, gl= l=7, gl= Two types of non-determinism! 4 f=0

25 Step 3: Monitor for Acceptance P: always( line=lock implies next( line!=lock w-until line=unlock )) line!=lock line=lock line!=lock & line!=unlock line=unlock line=lock Since game has two types of non-determinism, we need to be careful with non-determinism in monitor. 5

26 Problem with Nondeterminism Coffee machine is correct if there is no water or if button is pressed machine serves coffee: eventually always(not water) or always(pressed implies eventually coffee) and always(not water implies not coffee) w=0 w= or c=0 p= and (w= or c=0) c=0 or w= O K p=0 and w= or c=0 O K c= and w= (Coffee machine wins if it visits a green state infinitely often) 6

27 Step 3: Det. Monitor for Acceptance P: always( line=lock implies next( line!=lock w-until line=unlock )) line!=lock line=lock line!=lock & line!=unlock 3 line=unlock line=lock Classical approach: make it deterministic (more powerful acceptance required) 7

28 Step 3: Product TS for got_lock in {0, Deterministic automaton l=, gl=0 l=, gl= l=, gl=0 l=, gl= l=3, gl=0 l=lock, gl=0 l=3, gl=0 l=lock, gl=0 l!=lock l=lock l!=lock & l!=unlock l=4, gl=0 l=5, gl=0 l=4, gl=0 0 0 l=5, gl= l=6, gl= l=unlock, gl= 0 0 l=unlock l=lock 3 l=7, gl=0 l=7, gl= l=8, gl=0... 8

29 Step 3: Produce l=, gl=0 l=, gl= l=, gl=0 l=, gl= l=, gl=0 l=, gl= l=, gl=0 l=, gl= l=3, gl=0 l=lock, gl=0 l=3, gl=0 l=lock, gl=0 l=3, gl=0 l=lock, gl=0 l=3, gl=0 l=lock, gl=0 l=4, gl=0 0 0 l=5, gl=0 l=5, gl= l=6, gl= l=unlock, gl= 0 0 l=4, gl= l=4, gl=0 l=4, gl= l=4, gl= l=5, gl=0 l=5, gl= l=6, gl= l=unlock, gl= 3 l=7, gl=0 l=7, gl= l=7, gl=0 l=7, gl= l=8, gl=0 l=8, gl= l=8, gl=0 l=8, gl= l!=lock l=lock l=unlock l!=lock & l!=unlock l=lock 3 9

30 Step 4: Winning States l=, gl=0 l=, gl= l=, gl=0 l=, gl= l=, gl=0 l=, gl= l=, gl=0 l=, gl= l=3, gl=0 l=lock, gl=0 l=3, gl=0 l=lock, gl=0 l=3, gl=0 l=lock, gl=0 l=3, gl=0 l=lock, gl=0 l=4, gl=0 l=5, gl=0 l=4, gl= l=4, gl=0 l=4, gl= l=4, gl= l=5, gl= l=6, gl= l=unlock, gl= l=5, gl=0 l=5, gl= l=6, gl= l=unlock, gl= 3 l=7, gl=0 l=7, gl= l=7, gl=0 l=7, gl= l=8, gl=0 l=8, gl= l=8, gl=0 l=8, gl= l!=lock l=lock l=unlock l!=lock & l!=unlock l=lock 3 30

31 Step 4: Winning States l=, gl=0 l=, gl= l=, gl=0 l=, gl= l=, gl=0 l=, gl= l=, gl=0 l=, gl= l=3, gl=0 l=lock, gl=0 l=3, gl=0 l=lock, gl=0 l=3, gl=0 l=lock, gl=0 l=3, gl=0 l=lock, gl=0 l=4, gl=0 l=5, gl=0 l=4, gl= l=4, gl=0 l=4, gl= l=4, gl= l=5, gl= l=6, gl= l=unlock, gl= l=5, gl=0 l=5, gl= l=6, gl= l=unlock, gl= 3 l=7, gl=0 l=7, gl= l=7, gl=0 l=7, gl= l=8, gl=0 l=8, gl= l=8, gl=0 l=8, gl= l!=lock l=lock l=unlock l!=lock & l!=unlock l=lock 3 3

32 Step 4: Winning States l=, gl=0 l=, gl= l=, gl=0 l=, gl= l=, gl=0 l=, gl= l=, gl=0 l=, gl= l=3, gl=0 l=lock, gl=0 l=3, gl=0 l=lock, gl=0 l=3, gl=0 l=lock, gl=0 l=3, gl=0 l=lock, gl=0 l=4, gl=0 l=5, gl=0 l=4, gl= l=4, gl=0 l=4, gl= l=4, gl= l=5, gl= l=6, gl= l=unlock, gl= l=5, gl=0 l=5, gl= l=6, gl= l=unlock, gl= 3 l=7, gl=0 l=7, gl= l=7, gl=0 l=7, gl= l=8, gl=0 l=8, gl= l=8, gl=0 l=8, gl= l!=lock l=lock l=unlock l!=lock & l!=unlock l=lock 3 3

33 Step 4: Winning States l=, gl=0 l=, gl= l=, gl=0 l=, gl= l=3, gl=0 l=lock, gl=0 l=3, gl=0 l=lock, gl=0 l=4, gl=0 l=5, gl=0 l=4, gl= l=5, gl= l=6, gl= l=unlock, gl= l=4, gl=0 l=4, gl= l=5, gl= l=6, gl= l=unlock, gl= l=7, gl=0 l=7, gl= l=8, gl=0 l=8, gl= 33

34 Step 4: Winning Strategy l=, gl=0 l=, gl= In general: strategy is function of program and monitor state l=, gl=0 l=3, gl=0 l=lock, gl=0 l=4, gl=0 0 l=5, gl=0 l=7, gl=0 0 0 l=, gl= l=3, gl=0 l=lock, gl=0 l=4, gl= l=5, gl= l=6, gl= l=unlock, gl= l=7, gl= l=4, gl=0 l=4, gl= l=5, gl= l=6, gl= l=unlock, gl= Strategy to Repair: if (l=4 & gl=0 & s=) freedom:=0 if (l=4 & gl= & s=) freedom:= if (l=4 & gl=0 & s=0) freedom:= if (l=7 & gl=0 & s=) freedom:=0 if (l=7 & gl= & s=) freedom:=0.. freedom := f(l,gl,s) if (line=4) freedom := (gl=) (s=) if (line=7) freedom := 0 l=8, gl=0 l=8, gl= What we actually do: merge states before picking the strategy 34

35 Step 4: Winning Strategy l=, gl=0 l=, gl= l=, gl=0 l=, gl= l=, gl=0 l=, gl= l=, gl=0 l=, gl= l=3, gl=0 l=lock, gl=0 l=3, gl=0 l=lock, gl=0 l=3, gl=0 l=lock, gl=0 l=3, gl=0 l=lock, gl=0 l=4, gl=0 l=5, gl=0 l=4, gl= l=5, gl= l=6, gl= l=unlock, gl= l=4, gl=0 l=4, gl= l=5, gl= l=6, gl= l=unlock, gl= l=4, gl=0 l=4, gl= l=5, gl=0 l=5, gl= 0 0 l=6, gl= l=unlock, gl= l=7, gl=0 l=7, gl= l=7, gl=0 l=7, gl= l=8, gl=0 l=8, gl= l=8, gl=0 l=8, gl= 35

36 Step 4: Winning Strategy (line=4): freedom= (line=7): freedom= 0 l=, gl=0 l=, gl=0 l=3, gl=0 l=lock, gl=0 l=4, gl=0 l=5, gl=0 0 0 l=7, gl=0 l=, gl= l=, gl= l=3, gl=0 l=lock, gl=0 l=4, gl= l=5, gl= l=6, gl= l=unlock, gl= l=7, gl= l=8, gl=0 l=8, gl= 36

37 Repaired Program unsigned int got_lock = 0;... : while(*) {... : if (*) { 3: lock(); 4: got_lock = ;... 5: if (got_lock!= 0){ 6: unlock(); 7: got_lock = 0;... lock() { lock: LOCK:=; unlock(){ unlock: LOCK:=0; Specification P: do not acquire a lock twice P: do not call unlock without holding the lock P: always( line=lock implies next( line!=lock w-until line=unlock )) P: ( line!=unlock w-until line=lock )) and always( line=unlock implies next( line!=unlock w-until line=lock )) (slide adapted with permission from Barbara Jobstmann) 37

38 Recap: How to Repair a Reactive System?. Add freedom choice for the system, space of permitted modifications to the system. Source code transition system (game) non-determinism in the program (demonic) non-determinism in permitted modification (angelic) 3. Specification monitor acceptance 4. Check if we can find system choices s.t. model is accepted by monitor product of trans. system and monitor search for winning strategy in game 38

39 Program Repair Program Finite-state program Game Game TS: program with freedom Solve game Monitor Monitor TS: Winning condition (Simple) Strategy Specification Correct Program with Bloem, Griesmayer, Staber in CAV 005, CHARME 005 (+ext to fault localization)

40 Classical Controller Synthesis FSM + freedom + monitor Initially defined for invariants Game Game TS + winning cond. Solve game (Simple) Strategy Correct Program Ramadge, Wonham 87, Book by Cassandras, Lafortune 99/07

41 Synthesis from Temporal Logics Game Solve game Monitor + interface definition Monitor TS: Winning condition (Simple) Strategy Specification Correct Program Church (96), Büchi/Landweber (969, games), Rabin (97, trees), Pnueli/Rosner (989, LTL)

42 Program Synthesis Program Game FSM + freedom Game TS Solve game Monitor Monitor TS: Winning condition (Simple) Strategy Specification Correct Program Modern Controller Synthesis, see overview papers by Walukiewicz et al., Rutten & Girault,...

43 Issues? Program How to abstract? FSM + freedom Game Game TS Size? Solve game How to solve efficiently? How to construct efficiently? Monitor Monitor TS: Winning condition How expressive? Size? (Simple) Strategy How to pick a strategy? How to specify? Specification Related research areas: How to map PL, AV, Control Theory, back? Game and Automata Theory Correct Program

44 Issues with Monitor for LTL Determinization construction (Safra s) EXP worst case complexity LTL is very succinct How to construct efficiently? Monitor Monitor TS: Winning condition How expressive? Size?

45 Some Solutions Concentrate on subsets (different types of games) Ramadge, Wonham (Proc IEEE 89) Asarin, Maler, Pnueli, Sifakis (SSC 98) Alur, La Torre (LICS'0) Alur, Madhusudan, Nam (BMC'03, STTT'05) Wallmeier, Hütter, Thomas (CIAA'03) Harding, Ryan, Schobbens (TACAS'05) Jobstmann, Bloem (CAV 05) Piterman, Pnueli, Sa'ar (VMCAI'06) (base of our work on synthesizing AMBA) Optimize or avoid determinzation construction Althoff, Thomas, Wallmeier (CIAA'05,TCS'06) Piterman, Henzinger (CSL'06) Kupferman, Vardi (FOCS'05) Kupferman, Piterman, Vardi (CAV'06) Schewe, Finkbeiner (ATVA'07), Filiot, Jin, Raskin (CAV'09) Symbolic representation (e.g., using BDDs) Safety, Reachability Büchi, co-büchi Det. generators for several subsets Safety+ using SAT, QBF, and BDDs Request-Response Work with nondet. automaton Identified syntactic subset Generalized Reactivity- (GR-) Implemented Safra Improved Safra, Good-for-game Bounded Synthesis (using co-büchi)

46 Next More partial programs this time with Sketching 46

47 What is sketching? A program synthesis system generates small fragments of code checks their validity against a specification A programming aid help you write tricky programs cleverness and insight come from you sorry, no programming robots computer helps with low-level reasoning

48 The sketching experience sketch implementation (completed sketch)

49 Sketch language basics Sketches are programs with holes write what you know use holes for the rest semantic issues specifications How does SKETCH know what program you actually want? holes Constrain the set of solutions the synthesizer may consider

50 Specifications Specifications constrain program behavior assertions assert x > y; function equivalence blockedmatmul(mat a, Mat b) implements matmul Is this enough?

51 Holes Holes are placeholders for the synthesizer synthesizer replaces hole with concrete code fragment fragment must come from a set defined by the user

52 Integer hole Define sets of integer constants Example: Hello World of Sketching spec: int foo (int x) { return x + x; sketch: int bar (int x) implements foo { return x *??; Integer Hole

53 Integer Holes Sets of Expressions Example: Find least significant zero bit Trick: int W = 3; bit[w] isolate0 (bit[w] x) { // W: word size bit[w] ret = 0; for (int i = 0; i < W; i++) if (!x[i]) { ret[i] = ; return ret; Adding to a string of ones turns the next zero to a i.e = 00000!(x +??) & (x +??)!(x + ) & (x + 0)!(x + 0) & (x + )!(x + ) & (x + 0xFFFF)!(x + 0xFFFF) & (x + )

54 Integer Holes Sets of Expressions Example: Least Significant Zero Bit int W = 3; bit[w] isolate0 (bit[w] x) { // W: word size bit[w] ret = 0; for (int i = 0; i < W; i++) if (!x[i]) { ret[i] = ; return ret; bit[w] isolatesk (bit[w] x) implements isolate0 { return!(x +??) & (x +??) ;

55 Integer Holes Sets of Expressions Least Significant One Bit int W = 3; bit[w] isolate0 (bit[w] x) { // W: word size bit[w] ret = 0; for (int i = 0; i < W; i++) if (x[i]) { ret[i] = ; return ret; Will the same trick work? try it out

56 Integer Holes Sets of Expressions Expressions with?? == sets of expressions linear expressions x*?? + y*?? polynomials x*x*?? + x*?? +?? sets of variables??? x : y Semantically powerful but syntactically clunky Regular Expressions are a more convenient way of defining sets

57 Regular Expression Generators { RegExp RegExp supports choice and optional? can be used arbitrarily within an expression to select operands { (x y z) + to select operators { x (+ -) y to select fields { n(.prev.next)? to select arguments { foo( x y, z) Set must respect the type system all expressions in the set must type-check all must be of the same type

58 Least Significant One revisited How did I know the solution would take the form!(x +??) & (x +??). What if all you know is that the solution involves x, +, & and!. bit[w] tmp=0; { x tmp = { (!)?((x tmp) (& +) (x tmp??)) ; { x tmp = { (!)?((x tmp) (& +) (x tmp??)) ; return tmp; This is now a set of statements (and a really big one too)

59 Sets of statements Statements with holes = sets of statements Higher level constructs for Statements too repeat bit[w] tmp=0; repeat(3){ { x tmp = { (!)?((x tmp) (& +) (x tmp??)) ; return tmp;

60 repeat Avoid copying and pasting repeat(n){ s s;s; s; each of the n copies may resolve to a distinct stmt n can be a hole too. bit[w] tmp=0; repeat(??){ { x tmp = { (!)?((x tmp) (& +) (x tmp??)) ; return tmp; Keep in mind: the synthesizer won t try to minimize n use --unrollamnt to set the maximum value of n n

61 Example: logcount int pop (bit[w] x) { int count = 0; for (int i = 0; i < W; i++) { if (x[i]) count++; return count;

62 Procedures and Sets of Procedures types of procedures standard procedures represents a single procedure all call sites resolve to the same procedure identified by the keyword static generators represents a set of procedures each call site resolves to a different procedure in the set default in the current implementation

63 Example int rec(int x, int y, int z){ int t =??; if(t == 0){return x; if(t == ){return y; int spec( int x, int y, int z ){ return (x + x) * (y - z); if(t == ){return z; if(t == 3){return rec(x,y,z) * rec(x,y,z); if(t == 4){return rec(x,y,z) + rec(x,y,z); if(t == 5){return rec(x,y,z) - rec(x,y,z); int sketch( int x, int y, int z ) implements spec{ return rec(x,y, z);

64 Step : Turn holes into special inputs The?? Operator is modeled as a special input we call them control inputs bit[w] isolsk(bit[w] x) { return ~(x +??) & (x +??); bit[w] isolsk(bit[w] x, bit[w] c, c) { return ~(x + c) & (x + c); Bounded candidate spaces are important bounded unrolling of repeat is important bounded inlining of generators is important

65 Step : Constraining the set of controls Correct control causes the spec & sketch to match for all inputs causes all assertions to be satisfied for all inputs Constraints are collected into a predicate Q(in, c)

66 int popsketched (bit[w] x) implements pop { loop (??) { x = (x &??) + ((x >>??) &??); return x; x & >> mux x & >> mux x & + & + & >> S(x,c) = x mux + &

67 Ex : Population count. int pop (bit[w] x) { int count = 0; for (int i = 0; i < W; i++) { if (x[i]) count++; return count; x count one count count + mux + mux + Q(in, c) S(x,c)==F(x) F(x) = count count mux mux +

68 A Sketch as a constraint system Synthesis reduces to constraint satisfaction c x.q(x,c) Constraints are too hard for standard techniques Universal quantification over inputs Too many inputs Too many constraints Too many holes

69 Insight Sketches are not arbitrary constraint systems They express the high level structure of a program A small set of inputs can fully constrain the soln focus on corner cases c x in E.Q(x,c) where E = {x, x,, x k This is an inductive synthesis problem! but how do we find the set E? and how do we solve the inductive synthesis problem?

70 Step 3: Counterexample Guided Inductive Synthesis Idea: Couple inductive synthesizer with a verifier Verifier is charged with detecting convergence succeed candidate implementation Inductive Synthesizer Derive candidate implementation from concrete inputs fail buggy Validation Verification as a subproblem ok c x in E.Q(x,c) fail observation set E Standard implementation uses SAT based bounded checker

71 Inductive Synthesis Deriving a candidate from a set of observations c x in E.Q(x,c) where E = {x, x,, x k Encode c as a bit-vector natural encoding given the integer holes Encode Q(x i, c) as boolean constraints on the bit-vector Solve constraints using SAT solver with lots of preprocessing in between

72 Summary 7